Vulnerability Reportgocd/gocd-server:v23.5.0

gocd/gocd-server:v23.5.0

DIGESTsha256:7103d629a4f5e7f3905ee5e4685256e0f4d3facd57e035efffd78182fcc0efe7

Executive Summary

Threat ScoreDANGEROUS• 29 exposed surface vulnerabilities with severity ≥ 7.0, including multiple remote code execution (RCE) flaws.• Critical CVEs: CVE-2022-22965 (Spring Framework RCE), CVE-2026-34197 (ActiveMQ RCE via Jolokia), CVE-2024-32002 (Git submodule RCE).• High EPSS scores (e.g., 0.99677 for CVE-2022-22965) indicate active exploitation in the wild.• Container runs as a popular community image but is not officially verified, yet the vulnerability profile demands immediate action.

100/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (9M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could achieve remote code execution on the GoCD server through multiple vectors, such as exploiting Spring data binding (CVE-2022-22965) or ActiveMQ's Jolokia endpoint (CVE-2026-34197), potentially compromising the entire CI/CD pipeline and sensitive build artifacts. Disabling Git symbolic link support (core.symlinks=false) fully mitigates CVE-2024-32002, but the other critical vulnerabilities remain unaddressed without patching. Some flaws, like H2 console vulnerabilities, require non-default configurations to be exploitable, but the overall risk is still severe.

Vulnerabilities

Vulnerability Log

203 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2022-22965	CRITICAL10	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2016-1000027	CRITICAL10	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.0.0	32.3% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2022-22965	CRITICAL10	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 5.2.20.RELEASE, 5.3.18	99.7% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-32002	CRITICAL10	git 2.43.0-r0 fixed in 2.43.4-r0	25.3% High Exploitation Risk	Directly ExposedContext importance: HIGH
CVE-2026-34197	CRITICAL10	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.5, 6.2.3	96.3% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-6119	CRITICAL9.75	libcrypto3 3.1.4-r2 fixed in 3.1.7-r0	66.6% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2024-6119	CRITICAL9.75	libssl3 3.1.4-r2 fixed in 3.1.7-r0	66.6% Actively Exploited	Directly ExposedContext importance: HIGH
CVE-2026-40466	HIGH8.8	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.6, 6.2.5	4.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2021-42392	HIGH8	com.h2database:h2 1.4.200 fixed in 2.0.206	63.2% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-23221	HIGH8	com.h2database:h2 1.4.200 fixed in 2.1.210	64.8% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2022-22978	HIGH8	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.5.7, 5.6.4, 5.4.11	10.0% High Exploitation Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-48384	HIGH8	git 2.43.0-r0 fixed in 2.43.7-r0	2.8% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2024-1597	HIGH7.84	org.postgresql:postgresql 42.7.1 fixed in 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2	4.8% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-32004	HIGH7.8	git 2.43.0-r0 fixed in 2.43.4-r0	1.3% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2024-38819	HIGH7.8	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 6.1.14	54.9% Actively Exploited	Directly ExposedContext importance: MEDIUM
CVE-2026-2332	HIGH7.73	org.eclipse.jetty:jetty-http 10.0.19 fixed in 12.1.7, 12.0.33	0.5% Theoretical Threat	Directly Exposed
CVE-2024-52006	HIGH7.5	git 2.43.0-r0 fixed in 2.43.6-r0	1.0% Low-Moderate Risk	Directly ExposedContext importance: HIGH
CVE-2023-52425	HIGH7.5	libexpat 2.5.0-r2 fixed in 2.6.0-r0	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-28757	HIGH7.5	libexpat 2.5.0-r2 fixed in 2.6.2-r0	2.0% Low-Moderate Risk	Directly Exposed
CVE-2024-45490	HIGH7.5	libexpat 2.5.0-r2 fixed in 2.6.3-r0	1.7% Low-Moderate Risk	Directly Exposed
CVE-2024-8176	HIGH7.5	libexpat 2.5.0-r2 fixed in 2.7.0-r0	1.6% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-client 5.18.3 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2025-27533	HIGH7.5	org.apache.activemq:activemq-openwire-legacy 5.18.3 fixed in 5.16.8, 5.17.7, 5.18.7, 6.1.6	8.6% Low-Moderate Risk	Directly Exposed
CVE-2022-22950	HIGH7.47	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.17, 5.2.20.RELEASE	36.7% High Exploitation Risk	Directly Exposed
CVE-2020-25638	HIGH7.4	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.4.24.Final, 5.3.20.Final	2.9% Low-Moderate Risk	Directly Exposed
CVE-2024-38821	HIGH7.4	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4	1.7% Low-Moderate Risk	Directly Exposed
CVE-2021-23463	HIGH7.28	com.h2database:h2 1.4.200 fixed in 2.0.202	3.3% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2021-22112	HIGH7.04	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 5.4.4, 5.3.8, 5.2.9	3.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2025-48976	MEDIUM6.89	commons-fileupload:commons-fileupload 1.5 fixed in 1.6.0	63.3% Actively Exploited	Directly Exposed
CVE-2024-22257	MEDIUM6.66	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.12, 5.8.11, 6.1.8, 6.2.3	0.8% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40200	MEDIUM6.63	musl 1.2.4_git20230717-r4 fixed in 1.2.4_git20230717-r6	0.1% Theoretical Threat	Directly Exposed
CVE-2022-45868	MEDIUM6.63	com.h2database:h2 1.4.200 fixed in 2.2.220	0.3% Theoretical Threat	Directly Exposed
CVE-2023-6129	MEDIUM6.5	libcrypto3 3.1.4-r2 fixed in 3.1.4-r3	2.3% Low-Moderate Risk	Directly Exposed
CVE-2023-6129	MEDIUM6.5	libssl3 3.1.4-r2 fixed in 3.1.4-r3	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bcprov-jdk18on 1.77 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-29857	MEDIUM6.5	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-8184	MEDIUM6.5	org.eclipse.jetty:jetty-server 10.0.19 fixed in 12.0.9, 10.0.24, 11.0.24, 9.4.56	1.0% Low-Moderate Risk	Directly Exposed
CVE-2019-14900	MEDIUM6.5	org.hibernate:hibernate-core 3.6.10.Final fixed in 5.3.18, 5.4.18, 5.5.0.Beta1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2023-20863	MEDIUM6.5	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.8, 5.3.27, 5.2.24.RELEASE	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-22259	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.5, 6.0.18, 5.3.33	2.6% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2024-22262	MEDIUM6.48	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.34, 6.0.19, 6.1.6	1.2% Low-Moderate Risk	Directly ExposedContext importance: MEDIUM
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-39304	MEDIUM6.38	org.apache.activemq:activemq-client 5.18.3 fixed in 5.19.4, 6.2.4	0.7% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.74 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2026-5588	MEDIUM6.38	org.bouncycastle:bcpkix-jdk18on 1.77 fixed in 1.84	0.3% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.77 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2024-30172	MEDIUM6.38	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-7962	MEDIUM6.38	org.eclipse.angus:smtp 2.0.2 fixed in 2.0.4	0.8% Theoretical Threat	Directly Exposed
CVE-2026-42198	MEDIUM6.38	org.postgresql:postgresql 42.7.1 fixed in 42.7.11	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41044	MEDIUM6.12	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.6, 6.2.5	0.8% Theoretical Threat	Directly Exposed
CVE-2025-26519	MEDIUM5.95	musl 1.2.4_git20230717-r4 fixed in 1.2.4_git20230717-r5	0.3% Theoretical Threat	Directly Exposed
CVE-2023-6237	MEDIUM5.9	libcrypto3 3.1.4-r2 fixed in 3.1.4-r4	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-5535	MEDIUM5.9	libcrypto3 3.1.4-r2 fixed in 3.1.6-r0	5.6% Low-Moderate Risk	Directly Exposed
CVE-2024-50602	MEDIUM5.9	libexpat 2.5.0-r2 fixed in 2.6.4-r0	1.0% Low-Moderate Risk	Directly Exposed
CVE-2023-6237	MEDIUM5.9	libssl3 3.1.4-r2 fixed in 3.1.4-r4	2.3% Low-Moderate Risk	Directly Exposed
CVE-2024-5535	MEDIUM5.9	libssl3 3.1.4-r2 fixed in 3.1.6-r0	5.6% Low-Moderate Risk	Directly Exposed
CVE-2024-45491	MEDIUM5.88	libexpat 2.5.0-r2 fixed in 2.6.3-r0	1.1% Low-Moderate Risk	Directly Exposed
CVE-2024-45492	MEDIUM5.88	libexpat 2.5.0-r2 fixed in 2.6.3-r0	1.4% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libcrypto3 3.1.4-r2 fixed in 3.1.8-r1	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-4741	MEDIUM5.6	libcrypto3 3.1.4-r2 fixed in 3.1.6-r0	2.9% Low-Moderate Risk	Directly Exposed
CVE-2025-9230	MEDIUM5.6	libssl3 3.1.4-r2 fixed in 3.1.8-r1	1.8% Low-Moderate Risk	Directly Exposed
CVE-2024-4741	MEDIUM5.6	libssl3 3.1.4-r2 fixed in 3.1.6-r0	2.9% Low-Moderate Risk	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.77 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2025-11143	MEDIUM5.52	org.eclipse.jetty:jetty-http 10.0.19 fixed in 12.0.31, 12.1.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22732	MEDIUM5.52	org.springframework.security:spring-security-web 4.2.20.RELEASE fixed in 6.5.9, 7.0.4	0.5% Theoretical Threat	Directly Exposed
CVE-2023-20861	MEDIUM5.52	org.springframework:spring-expression 4.3.30.RELEASE fixed in 6.0.7, 5.3.26, 5.2.23.RELEASE	1.0% Theoretical Threat	Directly Exposed
CVE-2024-0727	MEDIUM5.5	libcrypto3 3.1.4-r2 fixed in 3.1.4-r5	3.2% Low-Moderate Risk	Directly Exposed
CVE-2024-0727	MEDIUM5.5	libssl3 3.1.4-r2 fixed in 3.1.4-r5	3.2% Low-Moderate Risk	Directly Exposed
CVE-2025-11226	MEDIUM5.44	ch.qos.logback:logback-core 1.4.14 fixed in 1.5.19, 1.3.16	0.2% Theoretical Threat	Directly Exposed
CVE-2024-4603	MEDIUM5.3	libcrypto3 3.1.4-r2 fixed in 3.1.5-r0	1.1% Low-Moderate Risk	Directly Exposed
CVE-2025-59375	MEDIUM5.3	libexpat 2.5.0-r2 fixed in 2.7.2-r0	1.3% Low-Moderate Risk	Directly Exposed
CVE-2024-4603	MEDIUM5.3	libssl3 3.1.4-r2 fixed in 3.1.5-r0	1.1% Low-Moderate Risk	Directly Exposed
CVE-2025-4949	MEDIUM5.3	org.eclipse.jgit:org.eclipse.jgit 6.8.0.202311291450-r fixed in 7.2.1.202505142326-r, 7.1.1.202505221757-r, 7.0.1.202505221510-r, 6.10.1.202505221210-r, 6.0.0.202111291000-r, 5.13.4.202507202350-r	1.1% Low-Moderate Risk	Directly Exposed
CVE-2022-22970	MEDIUM5.3	org.springframework:spring-beans 4.3.30.RELEASE fixed in 5.2.22.RELEASE, 5.3.20	1.9% Low-Moderate Risk	Directly Exposed
CVE-2022-22968	MEDIUM5.3	org.springframework:spring-context 4.3.30.RELEASE fixed in 5.3.19, 5.2.21.RELEASE	5.4% Low-Moderate Risk	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bcprov-jdk18on 1.77 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-30171	MEDIUM5.02	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38808	MEDIUM5.02	org.springframework:spring-expression 4.3.30.RELEASE fixed in 5.3.39	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2024-2511	MEDIUM4.81	libcrypto3 3.1.4-r2 fixed in 3.1.4-r6	54.0% Actively Exploited	Directly Exposed
CVE-2024-2511	MEDIUM4.81	libssl3 3.1.4-r2 fixed in 3.1.4-r6	54.0% Actively Exploited	Directly Exposed
CVE-2024-25629	MEDIUM4.67	c-ares 1.22.1-r0 fixed in 1.27.0-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2023-52426	MEDIUM4.67	libexpat 2.5.0-r2 fixed in 2.6.0-r0	0.4% Theoretical Threat	Directly Exposed
CVE-2026-6042	MEDIUM4.67	musl 1.2.4_git20230717-r4 fixed in 1.2.4_git20230717-r6	0.2% Theoretical Threat	Directly Exposed
CVE-2024-12798	MEDIUM4.67	ch.qos.logback:logback-core 1.4.14 fixed in 1.5.13, 1.3.15	0.4% Theoretical Threat	Directly Exposed
CVE-2024-6197	MEDIUM4.5	libcurl 8.5.0-r0 fixed in 8.9.0-r0	4.3% Low-Moderate Risk	Post-Exploit
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.74 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2025-8916	MEDIUM4.5	org.bouncycastle:bcpkix-jdk18on 1.77 fixed in 1.79	0.4% Theoretical Threat	Directly Exposed
CVE-2024-34447	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.74 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2024-34447	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.77 fixed in 1.78	0.8% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bcprov-jdk18on 1.77 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2025-8885	MEDIUM4.5	org.bouncycastle:bctls-jdk18on 1.74 fixed in 1.78	0.5% Theoretical Threat	Directly Exposed
CVE-2024-6763	MEDIUM4.5	org.eclipse.jetty:jetty-http 10.0.19 fixed in 12.0.12	1.0% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2024-38809	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 5.3.38, 6.0.23, 6.1.12	0.9% Theoretical Threat	Directly Exposed
CVE-2024-38820	MEDIUM4.5	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.14	0.6% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 4.3.30.RELEASE fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2024-7264	MEDIUM4.48	curl 8.5.0-r0 fixed in 8.9.1-r0	16.2% High Exploitation Risk	Post-Exploit
CVE-2024-7264	MEDIUM4.48	libcurl 8.5.0-r0 fixed in 8.9.1-r0	16.2% High Exploitation Risk	Post-Exploit
CVE-2024-29131	MEDIUM4.4	org.apache.commons:commons-configuration2 2.9.0 fixed in 2.10.1	2.1% Low-Moderate Risk	Directly Exposed
CVE-2024-29133	MEDIUM4.4	org.apache.commons:commons-configuration2 2.9.0 fixed in 2.10.1	1.7% Low-Moderate Risk	Directly Exposed
CVE-2026-1225	MEDIUM4.25	ch.qos.logback:logback-core 1.4.14 fixed in 1.5.25	0.2% Theoretical Threat	Directly Exposed
CVE-2025-48385	MEDIUM4.23	git 2.43.0-r0 fixed in 2.43.7-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2025-26465	MEDIUM4.08	openssh-client-common 9.6_p1-r0 fixed in 9.6_p1-r2	7.0% Low-Moderate Risk	Post-Exploit
CVE-2025-26465	MEDIUM4.08	openssh-client-default 9.6_p1-r0 fixed in 9.6_p1-r2	7.0% Low-Moderate Risk	Post-Exploit
CVE-2025-26465	MEDIUM4.08	openssh-keygen 9.6_p1-r0 fixed in 9.6_p1-r2	7.0% Low-Moderate Risk	Post-Exploit
CVE-2024-38827	MEDIUM4.08	org.springframework.security:spring-security-core 4.2.20.RELEASE fixed in 5.7.14, 5.8.16, 6.0.14, 6.1.12, 6.2.8, 6.3.5	0.4% Theoretical Threat	Directly Exposed
CVE-2025-26466	MEDIUM4.07	openssh-client-common 9.6_p1-r0 fixed in 9.6_p1-r2	38.5% High Exploitation Risk	Post-Exploit
CVE-2025-26466	MEDIUM4.07	openssh-client-default 9.6_p1-r0 fixed in 9.6_p1-r2	38.5% High Exploitation Risk	Post-Exploit
CVE-2025-26466	MEDIUM4.07	openssh-keygen 9.6_p1-r0 fixed in 9.6_p1-r2	38.5% High Exploitation Risk	Post-Exploit
CVE-2024-13176	MEDIUM4	libcrypto3 3.1.4-r2 fixed in 3.1.8-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-13176	MEDIUM4	libssl3 3.1.4-r2 fixed in 3.1.8-r0	0.6% Theoretical Threat	Directly Exposed
CVE-2024-32465	LOW3.98	git 2.43.0-r0 fixed in 2.43.4-r0	0.9% Theoretical Threat	Post-Exploit
CVE-2026-40200	LOW3.98	musl-utils 1.2.4_git20230717-r4 fixed in 1.2.4_git20230717-r6	0.1% Theoretical Threat	Post-Exploit
CVE-2026-41043	LOW3.91	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.6, 6.2.5	0.6% Theoretical Threat	Directly Exposed
CVE-2024-9681	LOW3.9	curl 8.5.0-r0 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2024-9681	LOW3.9	libcurl 8.5.0-r0 fixed in 8.11.0-r0	2.0% Low-Moderate Risk	Post-Exploit
CVE-2024-6387	LOW3.79	openssh-client-common 9.6_p1-r0 fixed in 9.6_p1-r1	99.5% Actively Exploited	Post-Exploit
CVE-2024-6387	LOW3.79	openssh-client-default 9.6_p1-r0 fixed in 9.6_p1-r1	99.5% Actively Exploited	Post-Exploit
CVE-2024-6387	LOW3.79	openssh-keygen 9.6_p1-r0 fixed in 9.6_p1-r1	99.5% Actively Exploited	Post-Exploit
CVE-2024-9143	LOW3.7	libcrypto3 3.1.4-r2 fixed in 3.1.7-r1	6.0% Low-Moderate Risk	Directly Exposed
CVE-2024-9143	LOW3.7	libssl3 3.1.4-r2 fixed in 3.1.7-r1	6.0% Low-Moderate Risk	Directly Exposed
CVE-2025-48924	LOW3.7	org.apache.commons:commons-lang3 3.14.0 fixed in 3.18.0	2.2% Low-Moderate Risk	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-broker 5.18.3 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2026-33227	LOW3.65	org.apache.activemq:activemq-client 5.18.3 fixed in 5.19.3, 6.2.2	0.4% Theoretical Threat	Directly Exposed
CVE-2024-32021	LOW3.62	git 2.43.0-r0 fixed in 2.43.4-r0	1.0% Theoretical Threat	Post-Exploit
CVE-2025-26519	LOW3.57	musl-utils 1.2.4_git20230717-r4 fixed in 1.2.4_git20230717-r5	0.3% Theoretical Threat	Post-Exploit
CVE-2023-51767	LOW3.57	openssh-client-common 9.6_p1-r0 fixed in 9.7_p1-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2023-51767	LOW3.57	openssh-client-default 9.6_p1-r0 fixed in 9.7_p1-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2023-51767	LOW3.57	openssh-keygen 9.6_p1-r0 fixed in 9.7_p1-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2024-11053	LOW3.54	curl 8.5.0-r0 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-11053	LOW3.54	libcurl 8.5.0-r0 fixed in 8.11.1-r0	1.4% Low-Moderate Risk	Post-Exploit
CVE-2024-22243	LOW3.4	org.springframework:spring-web 4.3.30.RELEASE fixed in 6.1.4, 6.0.17, 5.3.32	4.0% Low-Moderate Risk	Directly Exposed
CVE-2024-8096	LOW3.31	curl 8.5.0-r0 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2025-4947	LOW3.31	curl 8.5.0-r0 fixed in 8.14.0-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2024-8096	LOW3.31	libcurl 8.5.0-r0 fixed in 8.10.0-r0	0.7% Theoretical Threat	Post-Exploit
CVE-2025-4947	LOW3.31	libcurl 8.5.0-r0 fixed in 8.14.0-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2024-2379	LOW3.24	curl 8.5.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2024-2379	LOW3.24	libcurl 8.5.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2025-27614	LOW3.21	git 2.43.0-r0 fixed in 2.43.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2025-48386	LOW3.21	git 2.43.0-r0 fixed in 2.43.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2024-0853	LOW3.18	curl 8.5.0-r0 fixed in 8.6.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2024-2466	LOW3.18	curl 8.5.0-r0 fixed in 8.7.1-r0	1.3% Low-Moderate Risk	Post-Exploit
CVE-2025-9086	LOW3.18	curl 8.5.0-r0 fixed in 8.14.1-r2	1.3% Low-Moderate Risk	Post-Exploit
CVE-2024-2004	LOW3.18	curl 8.5.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2024-0853	LOW3.18	libcurl 8.5.0-r0 fixed in 8.6.0-r0	1.1% Low-Moderate Risk	Post-Exploit
CVE-2024-2466	LOW3.18	libcurl 8.5.0-r0 fixed in 8.7.1-r0	1.3% Low-Moderate Risk	Post-Exploit
CVE-2025-9086	LOW3.18	libcurl 8.5.0-r0 fixed in 8.14.1-r2	1.3% Low-Moderate Risk	Post-Exploit
CVE-2024-2004	LOW3.18	libcurl 8.5.0-r0 fixed in 8.7.1-r0	1.7% Low-Moderate Risk	Post-Exploit
CVE-2024-2398	LOW3.1	curl 8.5.0-r0 fixed in 8.7.1-r0	36.1% High Exploitation Risk	Post-Exploit
CVE-2024-2398	LOW3.1	libcurl 8.5.0-r0 fixed in 8.7.1-r0	36.1% High Exploitation Risk	Post-Exploit
CVE-2025-9232	LOW3.1	libcrypto3 3.1.4-r2 fixed in 3.1.8-r1	2.0% Low-Moderate Risk	Directly Exposed
CVE-2025-9232	LOW3.1	libssl3 3.1.4-r2 fixed in 3.1.8-r1	2.0% Low-Moderate Risk	Directly Exposed
CVE-2023-42363	LOW2.8	busybox 1.36.1-r15 fixed in 1.36.1-r17	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42364	LOW2.8	busybox 1.36.1-r15 fixed in 1.36.1-r19	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42365	LOW2.8	busybox 1.36.1-r15 fixed in 1.36.1-r19	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42366	LOW2.8	busybox 1.36.1-r15 fixed in 1.36.1-r16	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42363	LOW2.8	busybox-binsh 1.36.1-r15 fixed in 1.36.1-r17	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42364	LOW2.8	busybox-binsh 1.36.1-r15 fixed in 1.36.1-r19	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42365	LOW2.8	busybox-binsh 1.36.1-r15 fixed in 1.36.1-r19	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42366	LOW2.8	busybox-binsh 1.36.1-r15 fixed in 1.36.1-r16	0.4% Theoretical Threat	Post-Exploit
CVE-2026-6042	LOW2.8	musl-utils 1.2.4_git20230717-r4 fixed in 1.2.4_git20230717-r6	0.2% Theoretical Threat	Post-Exploit
CVE-2023-42363	LOW2.8	ssl_client 1.36.1-r15 fixed in 1.36.1-r17	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42364	LOW2.8	ssl_client 1.36.1-r15 fixed in 1.36.1-r19	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42365	LOW2.8	ssl_client 1.36.1-r15 fixed in 1.36.1-r19	0.4% Theoretical Threat	Post-Exploit
CVE-2023-42366	LOW2.8	ssl_client 1.36.1-r15 fixed in 1.36.1-r16	0.4% Theoretical Threat	Post-Exploit
CVE-2024-12801	LOW2.8	ch.qos.logback:logback-core 1.4.14 fixed in 1.5.13, 1.3.15	0.2% Theoretical Threat	Directly Exposed
CVE-2024-6197	LOW2.7	curl 8.5.0-r0 fixed in 8.9.0-r0	4.3% Low-Moderate Risk	Post-Exploit
CVE-2025-5399	LOW2.58	curl 8.5.0-r0 fixed in 8.14.1-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-5399	LOW2.58	libcurl 8.5.0-r0 fixed in 8.14.1-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-5025	LOW2.45	curl 8.5.0-r0 fixed in 8.14.0-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2025-10148	LOW2.45	curl 8.5.0-r0 fixed in 8.14.1-r2	0.5% Theoretical Threat	Post-Exploit
CVE-2025-5025	LOW2.45	libcurl 8.5.0-r0 fixed in 8.14.0-r0	0.2% Theoretical Threat	Post-Exploit
CVE-2025-10148	LOW2.45	libcurl 8.5.0-r0 fixed in 8.14.1-r2	0.5% Theoretical Threat	Post-Exploit
CVE-2024-50349	LOW2.4	git 2.43.0-r0 fixed in 2.43.6-r0	0.6% Theoretical Threat	Post-Exploit
CVE-2025-0665	LOW2.4	curl 8.5.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	curl 8.5.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0665	LOW2.4	libcurl 8.5.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2025-0725	LOW2.4	libcurl 8.5.0-r0 fixed in 8.12.0-r0	1.2% Low-Moderate Risk	Post-Exploit
CVE-2024-6874	LOW2.19	curl 8.5.0-r0 fixed in 8.9.0-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2025-27613	LOW2.19	git 2.43.0-r0 fixed in 2.43.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2024-6874	LOW2.19	libcurl 8.5.0-r0 fixed in 8.9.0-r0	0.8% Theoretical Threat	Post-Exploit
CVE-2025-46551	LOW1.89	rubygems:jruby-openssl 0.14.2 fixed in 0.15.4	0.2% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox 1.36.1-r15 fixed in 1.36.1-r21	0.1% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	busybox-binsh 1.36.1-r15 fixed in 1.36.1-r21	0.1% Theoretical Threat	Post-Exploit
CVE-2024-32020	LOW1.68	git 2.43.0-r0 fixed in 2.43.4-r0	0.5% Theoretical Threat	Post-Exploit
CVE-2025-46394	LOW1.68	ssl_client 1.36.1-r15 fixed in 1.36.1-r21	0.1% Theoretical Threat	Post-Exploit
CVE-2025-46835	LOW1.58	git 2.43.0-r0 fixed in 2.43.7-r0	0.3% Theoretical Threat	Post-Exploit
CVE-2024-58251	NONE0	busybox 1.36.1-r15 fixed in 1.36.1-r21	0.2% Theoretical Threat	Not Applicable
CVE-2024-58251	NONE0	busybox-binsh 1.36.1-r15 fixed in 1.36.1-r21	0.2% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	curl 8.5.0-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2025-46334	NONE0	git 2.43.0-r0 fixed in 2.43.7-r0	0.3% Theoretical Threat	Not Applicable
CVE-2025-0167	NONE0	libcurl 8.5.0-r0 fixed in 8.12.0-r0	0.6% Theoretical Threat	Not Applicable
CVE-2024-58251	NONE0	ssl_client 1.36.1-r15 fixed in 1.36.1-r21	0.2% Theoretical Threat	Not Applicable
GHSA-72hv-8253-57qq	NONE0	com.fasterxml.jackson.core:jackson-core 2.16.1 fixed in 2.21.1, 2.18.6	—	Not Applicable
CVE-2026-45205	NONE0	org.apache.commons:commons-configuration2 2.9.0 fixed in 2.15.0	0.5% Theoretical Threat	Not Applicable
CVE-2025-22233	NONE0	org.springframework:spring-context 4.3.30.RELEASE fixed in 6.2.7, 6.1.20	0.3% Theoretical Threat	Not Applicable